Re: [DNSOP] draft-ietf-dnsop-refuse-any and DO=0

2016-02-09 Thread bert hubert
On Mon, Feb 08, 2016 at 10:37:09AM -0500, Jared Mauch wrote: > Or just having the TCP implementation in BIND get improved as it’s clear there > are some more people pushing in this direction. I’m looking at just putting > something like DNSDIST on my hosts to process TCP and balance it across >

Re: [DNSOP] draft-ietf-dnsop-refuse-any and DO=0

2016-02-08 Thread Ólafur Guðmundsson
On Sun, Feb 7, 2016 at 2:16 PM, Tony Finch wrote: > Another question: > > In order to minimize responses even further, I have made my code omit or > include signature records depending on whether DO=0 or DO=1. That is, an > ANY query with DO=0 gets one arbitrary unsigned RRset in

Re: [DNSOP] draft-ietf-dnsop-refuse-any and DO=0

2016-02-08 Thread Tony Finch
Ólafur Guðmundsson wrote: > Tony: the draft says right now: [...] > > Is that not sufficient ? The most relevant bit in the current draft is: If the DNS query includes DO=1 and the QNAME corresponds to a zone that is known by the responder to be signed, a valid

Re: [DNSOP] draft-ietf-dnsop-refuse-any and DO=0

2016-02-08 Thread Tony Finch
Evan Hunt wrote: > > Choose an arbitrary (preferably determinate) rrset to return, and > include its covering signature if it exists and DO=1 so the response can > validate. Right. My code currently just picks the first RRtype it gets from the backend data store (or the type

Re: [DNSOP] draft-ietf-dnsop-refuse-any and DO=0

2016-02-08 Thread Jared Mauch
> On Feb 8, 2016, at 10:33 AM, Tony Finch wrote: > > Doing anything more determinate would require an extra loop over the data > to choose, before the loop that builds the response. (Actually I can > probably avoid two loops if I'm clever.) I didn't think I cared enough to > do

Re: [DNSOP] draft-ietf-dnsop-refuse-any and DO=0

2016-02-08 Thread bert hubert
On Mon, Feb 08, 2016 at 10:37:09AM -0500, Jared Mauch wrote: > Or just having the TCP implementation in BIND get improved as it’s clear there > are some more people pushing in this direction. I’m looking at just putting > something like DNSDIST on my hosts to process TCP and balance it across >

Re: [DNSOP] draft-ietf-dnsop-refuse-any and DO=0

2016-02-07 Thread Tony Finch
Another question: In order to minimize responses even further, I have made my code omit or include signature records depending on whether DO=0 or DO=1. That is, an ANY query with DO=0 gets one arbitrary unsigned RRset in response, and an ANY query with DO=1 gets one arbitrary signed RRset. Is

Re: [DNSOP] draft-ietf-dnsop-refuse-any and DO=0

2016-02-07 Thread Evan Hunt
On Sun, Feb 07, 2016 at 02:16:15PM +, Tony Finch wrote: > Is this sensible, and if so should it be suggested by the draft? Yes. I haven't looked in the draft recently, but I thought I mentioned that when I originally described this trick. Choose an arbitrary (preferably determinate) rrset to